How to view ssh public key "fingerprint" on the switch?

  • Question
  • Updated 2 years ago
  • Answered
Hi Guys,

A quick question for you. How do I view the SSH public key "fingerprint" on the switch, the one PuTTY presents when connecting?


Mykhaylo Skrypka


Posted 2 years ago


Gareth Mitchell, Extreme Escalation Support Engineer

Hi

I believe they are stored in the registry:



-Gareth

Transporter

Hi Gareth,

Thank you for your reply. But I want to check it on the switch side, not from PuTTY. Sorry, the question wording is not clear. Will edit it in a bit.

Gareth Mitchell, Extreme Escalation Support Engineer

Sorry, my bad, I misread the question completely.

Dorian Perry, Employee

Hi,

Try:
"show sshd2 user-key"
"show ssh2 private-key"

Erik Auerswald, Embassador

Hi,

The output of "show ssh2 private-key" is a hex dump of the ASCII-armored private key. The fingerprint shown by PuTTY is a hex dump of an MD5 checksum over the public key.

I'd like to request the introduction of "show ssh2 public-key" and "show ssh2 public-key fingerprint" commands in EXOS. The latter could even expose several fingerprint methods that are currently in use (MD5 hex dump, SHA256 base64 encoded, ASCII art). :-)

Erik

Erik Auerswald, Embassador

To add some more info:

It should be possible to extract the public key from the private key using "ssh-keygen -y -f", but at least EXOS 15.3 shows an encrypted key with unknown passphrase.

An EXOS 21.1 VM shows an unencrypted private key that can be transformed to be used as input to "ssh-keygen -y -f", which correctly extracts the public key in base64 encoded form. This can be used with "ssh-keygen -l -f" to display the fingerprint.

That is quite a tedious procedure, at least a command to show the fingerprint in the switch CLI would be useful.

Erik

Mykhaylo Skrypka

Hi Erik,


Thank you for your reply. I am unable to use these commands:

primary.cfg       Created by ExtremeXOS version 15.3.5.2                  154747 bytes saved on Wed Aug  3 01:58:43 2016
SW1-MGMT.7 # ssh-keygen -y -f
                ^
%% Invalid input detected at '^' marker.
SW1-MGMT.8 # show ssh2 public-key fingerprint
                        ^
%% Invalid input detected at '^' marker.
SW1-MGMT.9 #

The information you have provided is very useful. But it is related more to the Linux/Unix operation system.

Cheers,
Mykhaylo

Erik Auerswald, Embassador

Sorry, those are Linux commands... The private key from EXOS show output can be transformed to be compatible with Linux tools. Those can be used on Linux to view the fingerprint. Unless the key shown by EXOS is encrypted with an unknown password.

The procedure is a bit involved, therefore I did not write down all of the steps.

Erik

Mykhaylo Skrypka

Hi Erik,

Ok, good. Now I understand the whole process.

Thanks,
Mykhaylo

Erik Auerswald, Embassador

Hi,

SSH authenticates both communication endpoints, server and client. The server is authenticated with the public host key in a "trust on first use" model. On the first connection, the fingerprint of the server's public key is displayed to the user, who has to decide whether to trust this key or not. This decision is facilitated by checking the server's public host key's fingerprint out-of-band, e.g. when connected via serial console.

Current EXOS does not support checking the host key fingerprint. :-(

To work around this limitation, one can copy the private key of the EXOS switch to e.g. a GNU/Linux system, and then use tools usually available on GNU/Linux to determine the fingerprint. This works for not encrypted private keys only. The private key of a device should not be copied to another system, as such the copied key needs to be securely deleted after generating the fingerprint.

  1. Display private host key on EXOS
    show ssh2 private-key
    
  2. Copy&paste private key to file privkey.exos on GNU/Linux
    touch privkey.exos
    chmod 0600 privkey.exos
    cat > privkey.exos
  3. Convert EXOS key format to OpenSSH format on GNU/Linux
    touch privkey.openssh
    chmod 0600 privkey.openssh
    tr -dc '[:xdigit:]' < privkey.exos | xxd -p -r > privkey.openssh
  4. Generate public key from private key on GNU/Linux
    ssh-keygen -y -f privkey.openssh > pubkey.openssh
  5. Remove private key files (may not be secure) on GNU/Linux
    shred -u privkey.exos privkey.openssh
  6. Generate fingerprint on GNU/Linux
    ssh-keygen -l -f pubkey.openssh | cut -d' ' -f2
The public key may be disclosed; deletion is not necessary. Step two can be omitted if you copy&paste directly into "tr".

Best regards,
Erik
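The following is an added example, not code from Erik's post or from EXOS. It reimplements steps 3, 4 and 6 of the procedure above in plain Python (standard library only, Python 3.8+ for pow(x, -1, m)) so that the two fingerprint forms Erik mentions, the colon-separated MD5 that PuTTY shows and the base64 SHA256 that current OpenSSH shows, can be seen to be hashes over the same public-key bytes. It assumes the host key is an RSA key in PKCS#1 PEM form ("-----BEGIN RSA PRIVATE KEY-----", the format ssh-keygen -y -f reads) and that the dump is hex pairs with no offset column, the same assumption the tr pipeline makes. The sample input is a constructed hex dump of a deliberately tiny toy key, not output captured from a real switch.

```python
import base64
import binascii
import hashlib
import struct


def hexdump_to_pem(dump: str) -> str:
    """Step 3: keep only hex digits (tr -dc '[:xdigit:]') and decode them
    (xxd -p -r); the result is the ASCII-armored private key text."""
    digits = "".join(c for c in dump if c in "0123456789abcdefABCDEF")
    return binascii.unhexlify(digits).decode("ascii")


def _der_read(buf: bytes, pos: int):
    """Return (tag, contents, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_public_from_pem(pem: str):
    """Step 4: derive (n, e) from a PKCS#1 RSAPrivateKey, as ssh-keygen -y does.
    An encrypted PEM (Proc-Type header, the EXOS 15.3 case in the thread) is
    refused: the public key cannot be recovered without the passphrase."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if lines[0] != "-----BEGIN RSA PRIVATE KEY-----":
        raise ValueError("not a PKCS#1 RSA private key")
    if any(ln.startswith("Proc-Type:") for ln in lines):
        raise ValueError("encrypted private key: passphrase needed")
    der = base64.b64decode("".join(lines[1:-1]))
    tag, body, _ = _der_read(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    ints, pos = [], 0
    while len(ints) < 3:                    # version, modulus n, public exponent e
        tag, val, pos = _der_read(body, pos)
        if tag != 0x02:
            raise ValueError("expected INTEGER")
        ints.append(int.from_bytes(val, "big"))
    return ints[1], ints[2]


def _mpint(v: int) -> bytes:
    """SSH mpint: length-prefixed big-endian two's complement."""
    b = v.to_bytes((v.bit_length() + 8) // 8, "big")   # extra 0x00 keeps it positive
    return struct.pack(">I", len(b)) + b


def ssh_rsa_blob(n: int, e: int) -> bytes:
    """RFC 4253 public key encoding: string "ssh-rsa", mpint e, mpint n.
    Every SSH fingerprint is a hash over exactly these bytes."""
    return struct.pack(">I", 7) + b"ssh-rsa" + _mpint(e) + _mpint(n)


def fingerprint_md5(blob: bytes) -> str:
    """Colon-separated MD5 hex: what PuTTY and `ssh-keygen -l -E md5` show."""
    hexd = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(hexd[i:i + 2] for i in range(0, 32, 2))


def fingerprint_sha256(blob: bytes) -> str:
    """Unpadded base64 of SHA-256: the OpenSSH 6.8+ default for `ssh-keygen -l`."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def fingerprints_from_hexdump(dump: str) -> dict:
    """Steps 3, 4 and 6 end to end: hex dump in, public key line and fingerprints out."""
    n, e = rsa_public_from_pem(hexdump_to_pem(dump))
    blob = ssh_rsa_blob(n, e)
    return {"public_key": "ssh-rsa " + base64.b64encode(blob).decode(),
            "md5": fingerprint_md5(blob),
            "sha256": fingerprint_sha256(blob)}


# ---- constructed sample input: a toy key, NOT a real switch dump ----
def _der_int(v: int) -> bytes:
    b = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + bytes([len(b)]) + b       # short-form lengths suffice for the toy key


def make_demo_pem(p: int = 61, q: int = 53, e: int = 17) -> str:
    """Build a PKCS#1 PEM for a deliberately tiny RSA key (n = 3233)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    fields = [0, n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p)]
    body = b"".join(_der_int(v) for v in fields)
    b64 = base64.b64encode(b"\x30" + bytes([len(body)]) + body).decode()
    return ("-----BEGIN RSA PRIVATE KEY-----\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n-----END RSA PRIVATE KEY-----\n")


def make_demo_hexdump(pem: str) -> str:
    """Stand-in for `show ssh2 private-key` output (assumed format): the PEM
    bytes as space-separated hex pairs, 16 per line, no offset column."""
    hexd = binascii.hexlify(pem.encode("ascii")).decode()
    pairs = [hexd[i:i + 2] for i in range(0, len(hexd), 2)]
    return "\n".join(" ".join(pairs[i:i + 16]) for i in range(0, len(pairs), 16)) + "\n"


if __name__ == "__main__":
    for name, value in fingerprints_from_hexdump(make_demo_hexdump(make_demo_pem())).items():
        print(name, value)
```

For a real key, paste the switch output into a file and call fingerprints_from_hexdump on its contents; the "md5" value should match what PuTTY displays on first connection and what `ssh-keygen -l -E md5 -f pubkey.openssh` prints for the key produced in step 4, and "sha256" should match `ssh-keygen -l -f pubkey.openssh` on current OpenSSH, since all of them hash the same ssh-rsa blob. The decoded PEM held in memory is still the switch's private key: treat it the way step 5 treats the files and do not write it out anywhere you do not then shred.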

Ryan Mathews, Alum

Very clever Erik.  I'll make sure Drew gets this to our Dev team as a point of discussion.

Mykhaylo Skrypka

Hi Erik,

Wow, thanks for this. Really detailed answer. 

Thanks all,
Mykhaylo